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DETAILED ACTION 



Information Disclosure Statement 

1 . The Information Disclosure Statement (IDS) filed on August 20, 2002, has 
been received and considered by the examiner. 



Specification 

1. The disclosure is objected to because of the following informalities: On page 
13, line 16, the examiner feels "Fig. 13d" should have been referenced instead of "Fig. 
13b". Appropriate correction is required. 



2. The lengthy specification has not been checked to the extent necessary to 
determine the presence of all possible minor errors. Applicant's cooperation is 
requested in correcting any errors of which applicant may become aware in the 
specification. 

Claim Rejections - 35 USC § 102 

1 . The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 
that form the basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351(a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 
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2. Claims 1-48 are rejected under 35 U.S.C. 102(e) as being anticipated by 
Porras et al. (hereinafter Porras), U.S. patent 6,321,338. 

3. In considering claim 1 , Porras discloses a network comprising: 

a) A plurality of network nodes, (see Fig. 1); 

b) A plurality of routing devices to route network traffic between network 
nodes, (col. 3, lines 44-45); 

c) A director coupled to the routing devices to determine whether selected 
instances of source addresses of packets routed by the routing devices 
are spoof source addresses, based on consistency measures, (col. 1, 
lines 43-53). 

4. In considering claim 2, the method of Porras provides a means for 
determining whether selected instances of source addresses of packets routed by the 
routing devices are spoof source addresses, based on spatial distribution profiles of 
source addresses in view of a reference source address spatial distribution profile. See 
col. 5, lines 36-51. 

5. In considering claim 3, the method of Porras provides a means for the 
reference source address spatial distribution profile to comprise a historical spatial 
distribution profile for a particular address. See col. 5, lines 38-40. 
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6. In considering claim 4, the method of Porras provides a means for 
determining whether selected instances of source addresses of packets routed by the 
routing devices are spoof source addresses, based on destination source address 
range (DSAR) distribution profiles of the source addresses in view of a reference DSAR 
distribution profile. See col. 5, lines 36-51 . 

7. In considering claim 5, the method of Porras provides a means for the 
reference DSAR distribution profile to comprise a historical DSAR distribution profile for 
a particular address. See col. 5, lines 38-40. 

8. In considering claim 6, the method of Porras provides a means for 
determining whether selected instances of source addresses of packets routed by the 
routing devices are spoof source addresses, based on migration distribution profiles of 
source addresses in view of a reference source address migration distribution profile. 
See col. 5, lines 36-51. 

9. In considering claim 7, the method of Porras provides a means for the 
reference source address migration distribution profile to comprise a historical migration 
distribution profile for a particular address. See col. 5, lines 38-40. 
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10. In considering claim 8, the method of Porras provides a means for 
determining whether selected instances of source addresses of packets routed by the 
routing devices are spoof source addresses, based on timing distribution profiles of 
source addresses in view of a reference source address timing distribution profile. See 
col. 5, lines 36-51. 

1 1 . In considering claim 9, the method of Porras provides a means for the 
reference source address timing distribution profile to comprise a historical timing 
distribution profile for a particular address. See col. 5, lines 38-40. 

12. In considering claim 10, the method of Porras teaches the director being 
equipped to determine whether filtering actions are to be taken amongst particular 
routing devices. See col. 9, lines 57-63. 

13. In considering claim 1 1 , it is inherent in the method of Porras that the director 
takes into consideration, when making its determination, whether packets of non-spoof 
instances of a source address having instances deemed to be spoof source addresses 
are likely to be routed in the network. See col. 9, lines 57-63. 

14. In considering claim 12, the method of Porras teaches a plurality of director 
devices cooperatively coupled to each other to jointly make determinations. See col. 3, 
lines 16-40. 
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1 5. In considering claim 1 3, the method of Porras further teaches a plurality of 
sensors for monitoring and reporting source addresses of packets routed through 
routing devices. See col. 3, lines 42-45. 

16. In considering claim 14, the method of Porras further teaches sensors 
facilitating application of the desired source address based filtering on packets being 
routed through the routing devices. See col. 3, lines 55-65. 

17. In considering claim 15, Porras discloses a networking method comprising: 

a) Receiving information associated with source addresses of packets being 
routed to and from a plurality of network nodes, and determining whether 
selected instances of the source addresses are spoof instances based on 
consistency measures, (col. 1, lines 43-53); 

b) Managing the network based, at least in part, on the results of the 
determination, (col. 1, lines 66-67, col. 2, lines 1-7). 

18. In considering claim 16, the method of Porras provides a means for 
determining whether selected instances of source addresses of packets are spoof 
source addresses, based on spatial distribution profiles of source addresses in view of a 
reference source address spatial distribution profile. See col. 5, lines 36-51. 
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19. In considering claim 17, the method of Porras further provides a means for 
constructing the spatial distribution profiles. See col. 5, lines 4-36. 

20. In considering claim 18, the method of Porras further provides a means for 
determining whether each of the spatial distribution profiles is within a resemblance 
tolerance limit when compared to each of the at least one reference source address 
spatial distribution profiles. See col. 5, lines 38-40. 

21. In considering claim 19, the method of Porras provides a means for the 
reference source address spatial distribution profile to comprise a historical spatial 
distribution profile for a particular address. See col. 5, lines 38-40. 

22. In considering claim 20, the method of Porras provides a means for 
determining whether selected instances of source addresses of packets are spoof 
source addresses, based on DSAR distribution profiles of source addresses in view of a 
reference source address DSAR distribution profile. See col. 5, lines 36-51. 

23. In considering claim 21, the method of Porras further provides a means for 
constructing the DSAR distribution profiles. See col. 5, lines 4-36. 

24. In considering claim 22, the method of Porras further provides a means for 
determining whether each of the DSAR distribution profiles is within a resemblance 




Application/Control Number: 09/777,550 Page 8 

Art Unit: 2151 

tolerance linnit when compared to each of the at least one reference source address 
DSAR distribution profiles. See col. 5, lines 38-40. 

25. In considering claim 23, the method of Porras provides a means for the 
reference source address DSAR distribution profile to comprise a historical DSAR 
distribution profile for a particular address. See col. 5, lines 38-40. 

26. In considering claim 24, the method of Porras provides a means for 
determining whether selected instances of source addresses of packets are spoof 
source addresses, based on migration distribution profiles of source addresses in view 
of a reference source address migration distribution profile. See col. 5, lines 36-51 . 

27. In considering claim 25, the method of Porras further provides a means for 
constructing the migration distribution profiles. See col. 5, lines 4-36. 

28. In considering claim 26, the method of Porras further provides a means for 
determining whether each of the migration distribution profiles is within a resemblance 
tolerance limit when compared to each of the at least one reference source address 
migration distribution profiles. See col. 5, lines 38-40. 
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29. In considering claim 27, the method of Porras provides a means for the 
reference source address migration distribution profile to comprise a historical migration 
distribution profile for a particular address. See col. 5, lines 38-40. 

30. In considering claim 28, the method of Porras provides a means for 
determining whether selected instances of source addresses of packets are spoof 
source addresses, based on timing distribution profiles of source addresses in view of a 
reference source address timing distribution profile. See col. 5, lines 36-51. 

31 . In considering claim 29, the method of Porras further provides a means for 
constructing the timing distribution profiles. See col. 5, lines 4-36. 

32. In considering claim 30, the method of Porras further provides a means for 
determining whether each of the timing distribution profiles is within a resemblance 
tolerance limit when compared to each of the at least one reference source address 
timing distribution profiles. See col, 5, lines 38-40. 

33. In considering claim 31 , the method of Porras provides a means for the 
reference source address timing distribution profile to comprise a historical timing 
distribution profile for a particular address. See col. 5, lines 38-40. 




Application/Control Number: 09/777,550 Page 10 

Art Unit: 2151 

34. In considering claim 32, the method of Porras teaches, in managing the 
network, determining whether filtering actions are to be taken amongst particular routing 
devices. See col. 9, lines 57-63. 

35. In considering claim 33, it is inherent in the method of Porras when making 
the determination, to take into consideration whether packets of non-spoof instances of 
a source address having instances deemed to be spoof source addresses are likely to 
be routed in the network. See col. 9, lines 57-63. 

36. In considering claim 34, Porras discloses an apparatus comprising: 

a) A storage medium having stored therein a plurality of programming 
instructions designed to implement a director to receive reporting of 
information associated with source addresses of packets routed through a 
plurality of routing devices of a network, and to determine whether at least 
some instances of the source addresses are spoof instances, and a 
processor coupled to the storage medium to execute the programming 
instructions, (col. 2, lines 25-35). 

37. In considering claim 35, the apparatus of Porras provides a means for 
determining whether selected instances of source addresses of packets are spoof 
source addresses, based on spatial distribution profiles of source addresses in view of a 
reference source address spatial distribution profile. See col. 5, lines 36-51. 
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38. In considering claim 36, the apparatus of Porras further provides a means for 
constructing the spatial distribution profiles. See col. 5, lines 4-36. 

39. In considering claim 37, the apparatus of Porras further provides a means for 
determining whether each of the spatial distribution profiles is within a resemblance 
tolerance limit when compared to each of the at least one reference source address 
spatial distribution profiles. See col. 5, lines 38-40. 

40. In considering claim 38, the apparatus of Porras provides a means for 
determining whether selected instances of source addresses of packets are spoof 
source addresses, based on DSAR distribution profiles of source addresses in view of a 
reference source address DSAR distribution profile. See col. 5, lines 36-51. 

41 . In considering claim 39, the apparatus of Porras further provides a means for 
constructing the DSAR distribution profiles. See col. 5, lines 4-36. 

42. In considering claim 40, the apparatus of Porras further provides a means for 
determining whether each of the DSAR distribution profiles is within a resemblance 
tolerance limit when compared to each of the at least one reference source address 
DSAR distribution profiles. See col. 5, lines 38-40. 
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43. In considering claim 41 , the apparatus of Porras provides a means for 
determining whether selected instances of source addresses of packets are spoof 
source addresses, based on migration distribution profiles of source addresses in view 
of a reference source address migration distribution profile. See col. 5, lines 36-51 . 

44. In considering claim 42, the apparatus of Porras further provides a means for 
constructing the migration distribution profiles. See col. 5, lines 4-36. 

45. In considering claim 43, the apparatus of Porras further provides a means for 
determining whether each of the migration distribution profiles is within a resemblance 
tolerance limit when compared to each of the at least one reference source address 
migration distribution profiles. See col. 5, lines 38-40. 

46. In considering claim 44, the apparatus of Porras provides a means for 
determining whether selected instances of source addresses of packets are spoof 
source addresses, based on timing distribution profiles of source addresses in view of a 
reference source address timing distribution profile. See col. 5, lines 36-51. 

47. In considering claim 45, the apparatus of Porras further provides a means for 
constructing the timing distribution profiles. See col. 5, lines 4-36. 
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48. In considering claim 46, the apparatus of Porras further provides a means for 
determining whether each of the timing distribution profiles is within a resemblance 
tolerance limit when compared to each of the at least one reference source address 
timing distribution profiles. See col. 5, lines 38-40. 

49. In considering claim 47, the method of Porras teaches instructions designed 
to be able to determine whether filtering actions are to be taken amongst particular 
routing devices. See col. 9, lines 57-63. 

50. In considering claim 48, it is inherent in the method of Porras that the 
programming instructions are designed to take into consideration whether packets of 
non-spoof instances of a source address having instances deemed to be spoof source 
addresses are likely to be routed in the network. See col. 9, lines 57-63. 

Conclusion 

1 . The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. 

Porras et al., U.S. patent 6,321,338 discloses a method and apparatus for 
monitoring a network for suspicious network activity. 
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2. Any inquiry concerning this communication or earlier communications from 
the examiner should be directed to Hassan Phillips whose telephone number is (703) 
305-8760. The examiner can normally be reached on M-F 8:00am-5:00pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Glenton Burgess can be reached on (703) 305-4792. The fax phone 
number for the organization where this application or proceeding is assigned is 703- 



Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). . 



872-9306. 
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